package jdbc;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Scanner;

/**
 * 使用预编译SQL语句执行SELECT操作，避免SQL注入问题
 */
public class JDBCDemo9 {
    public static void main(String[] args) {
        System.out.println("欢迎登录");
        Scanner scanner = new Scanner(System.in);
        System.out.println("请输入用户名:");
        String username = scanner.nextLine();
        System.out.println("请输入密码:");
        String password = scanner.nextLine();

        try (Connection connection = DBUtil.getConnection();){
            String sql = "SELECT id,username,password,nickname,age " +
                         "FROM userinfo " +
                         "WHERE username=? AND password=?";
            //创建PreparedStatement时先将预编译SQL语句发送给数据库，将语义定死
            PreparedStatement ps = connection.prepareStatement(sql);
            //然后指定两个?对应的值分别是什么
            ps.setString(1,username);
            ps.setString(2,password);// a' OR '1'='1
            //执行查询，此时不需要在传入SQL语句了，那执行会将两个?对应的值发送给数据库
            ResultSet rs = ps.executeQuery();
            if(rs.next()){
                String nickname = rs.getString("nickname");
                System.out.println("登录成功,欢迎【"+nickname+"】回来");
            }else{
                System.out.println("登录失败");
            }


        } catch (SQLException e) {
            e.printStackTrace();
        }
    }
}










